GitHub Secret Action Integration

[justadaniel]

Hey, I'm working on a plugin that requires using an app key (UUID like an app secret). that I'll be storing in my repository as a GitHub Secret so it's not committed to source. I want to use that key to connect to a service via REST APIs however, I can't seem to figure out how to incorporate that into the GitHub ZXP build action. Is there a recommended way of doing this? I'm not a novice to programming whatsoever, but I just don't understand how it works from the GitHub action perspective. Thanks!

[justintaylor-dev]

@justadaniel you'll want to look up how env vars work with

• Vite: Custom environment variables #41
  and
• GitHub Actions: https://github.com/Azure/actions-workflow-samples/blob/master/assets/create-secrets-for-GitHub-workflows.md

Once you have that working, note that your API key / secret will be stored in plain text unless you encrypt it somehow.

Depending on how far you want to secure this, you can look into various JS obfuscation plugins for Vite/Rollup (here's an example):

• https://www.npmjs.com/package/vite-plugin-obfuscator
• https://github.com/mohamad-supangat/vite-plugin-gnirts

But note that JS obfuscation isn't 100% secure, it can be reverse engineered given enough time. So you might want to also look into OAuth, JWT, or other token-based limited auth methods to suit your needs.

Closing out this issue as it's not something that needs to be fixed in Bolt. If you want to chat more, hit me up in the Discord, link in the readme.